/*
   SSSD

   NSS Responder

   Copyright (C) Simo Sorce <ssorce@redhat.com>	2008

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <string.h>
#include <sys/time.h>
#include <errno.h>
#include <popt.h>
#include <dbus/dbus.h>

#include "util/util.h"
#include "util/sss_ptr_hash.h"
#include "util/mmap_cache.h"
#include "responder/nss/nss_private.h"
#include "responder/nss/nss_iface.h"
#include "responder/nss/nsssrv_mmap_cache.h"
#include "responder/common/negcache.h"
#include "db/sysdb.h"
#include "confdb/confdb.h"
#include "responder/common/responder_packet.h"
#include "responder/common/responder.h"
#include "providers/data_provider.h"
#include "util/util_sss_idmap.h"
#include "sss_iface/sss_iface_async.h"

#define DEFAULT_PWFIELD "*"
#define DEFAULT_NSS_FD_LIMIT 8192

static errno_t
sss_nss_clear_memcache(TALLOC_CTX *mem_ctx,
                       struct sbus_request *sbus_req,
                       struct sss_nss_ctx *nctx)
{
    int memcache_timeout;
    errno_t ret;

    if (access(SSS_NSS_MCACHE_DIR"/"CLEAR_MC_FLAG, F_OK) < 0) {
        ret = errno;
        if (ret == ENOENT) {
            DEBUG(SSSDBG_TRACE_FUNC,
                  "CLEAR_MC_FLAG not found. Nothing to do.\n");
            return EOK; /* Most probably log rotation SIGHUP to monitor */
        } else {
            DEBUG(SSSDBG_CRIT_FAILURE,
                  "Failed to check existence of "CLEAR_MC_FLAG": %s.\n",
                  strerror(ret));
            return ret;
        }
    }

    /*
     * CLEAR_MC_FLAG flag file found.
     * This file existance indicates that SIGHUP was called by sss_cache
     * as trigger for the memory cache cleanup.
     * sss_cache is waiting for CLEAR_MC_FLAG file deletion
     * as confirmation that memory cache cleaning has finished.
     */

    ret = confdb_get_int(nctx->rctx->cdb,
                         CONFDB_NSS_CONF_ENTRY,
                         CONFDB_MEMCACHE_TIMEOUT,
                         300, &memcache_timeout);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Unable to get memory cache entry timeout [%s].\n",
              CONFDB_MEMCACHE_TIMEOUT);
        goto done;
    }

    DEBUG(SSSDBG_TRACE_FUNC, "Clearing memory caches.\n");
    ret = sss_mmap_cache_reinit(nctx,
                                -1, /* keep current size */
                                (time_t) memcache_timeout,
                                &nctx->pwd_mc_ctx);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "passwd mmap cache invalidation failed\n");
        goto done;
    }

    ret = sss_mmap_cache_reinit(nctx,
                                -1, /* keep current size */
                                (time_t) memcache_timeout,
                                &nctx->grp_mc_ctx);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "group mmap cache invalidation failed\n");
        goto done;
    }

    ret = sss_mmap_cache_reinit(nctx,
                                -1, /* keep current size */
                                (time_t)memcache_timeout,
                                &nctx->initgr_mc_ctx);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "initgroups mmap cache invalidation failed\n");
        goto done;
    }

done:
    if (unlink(SSS_NSS_MCACHE_DIR"/"CLEAR_MC_FLAG) != 0) {
        if (errno != ENOENT)
            DEBUG(SSSDBG_CRIT_FAILURE, "Failed to unlink file: %s.\n",
                  strerror(errno));
    }
    return ret;
}

static errno_t
sss_nss_clear_negcache(TALLOC_CTX *mem_ctx,
                       struct sbus_request *sbus_req,
                       struct sss_nss_ctx *nctx)
{
    errno_t ret;

    DEBUG(SSSDBG_TRACE_FUNC, "Clearing negative cache non-permament entries\n");

    ret = sss_ncache_reset_users(nctx->rctx->ncache);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Negative cache clearing users failed\n");
        goto done;
    }

    ret = sss_ncache_reset_groups(nctx->rctx->ncache);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Negative cache clearing groups failed\n");
        goto done;
    }

done:
    return ret;
}

static errno_t
sss_nss_clear_netgroup_hash_table(TALLOC_CTX *mem_ctx,
                                  struct sbus_request *sbus_req,
                                  struct sss_nss_ctx *nss_ctx)
{
    DEBUG(SSSDBG_TRACE_FUNC, "Invalidating netgroup hash table\n");

    sss_ptr_hash_delete_all(nss_ctx->netgrent, false);

    return EOK;
}

static int sss_nss_get_config(struct sss_nss_ctx *nctx,
                              struct confdb_ctx *cdb)
{
    int ret;
    char *tmp_str;
    static const char *orig_attrs[] = { SYSDB_SID_STR,
                                        ORIGINALAD_PREFIX SYSDB_NAME,
                                        ORIGINALAD_PREFIX SYSDB_UIDNUM,
                                        ORIGINALAD_PREFIX SYSDB_GIDNUM,
                                        ORIGINALAD_PREFIX SYSDB_HOMEDIR,
                                        ORIGINALAD_PREFIX SYSDB_GECOS,
                                        ORIGINALAD_PREFIX SYSDB_SHELL,
                                        SYSDB_UPN,
                                        SYSDB_DEFAULT_OVERRIDE_NAME,
                                        SYSDB_AD_ACCOUNT_EXPIRES,
                                        SYSDB_AD_USER_ACCOUNT_CONTROL,
                                        SYSDB_SSH_PUBKEY,
                                        SYSDB_USER_CERT,
                                        SYSDB_USER_EMAIL,
                                        SYSDB_ORIG_DN,
                                        SYSDB_ORIG_MEMBEROF,
                                        NULL };

    ret = confdb_get_int(cdb, CONFDB_NSS_CONF_ENTRY,
                         CONFDB_NSS_ENUM_CACHE_TIMEOUT, 120,
                         &nctx->enum_cache_timeout);
    if (ret != EOK) goto done;

    ret = confdb_get_bool(cdb, CONFDB_NSS_CONF_ENTRY,
                         CONFDB_NSS_FILTER_USERS_IN_GROUPS, true,
                         &nctx->filter_users_in_groups);
    if (ret != EOK) goto done;

    ret = confdb_get_int(cdb, CONFDB_NSS_CONF_ENTRY,
                         CONFDB_NSS_ENTRY_CACHE_NOWAIT_PERCENTAGE, 50,
                         &nctx->cache_refresh_percent);
    if (ret != EOK) goto done;
    if (nctx->cache_refresh_percent < 0 ||
        nctx->cache_refresh_percent > 99) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Configuration error: entry_cache_nowait_percentage is "
                 "invalid. Disabling feature.\n");
        nctx->cache_refresh_percent = 0;
    }

    ret = sss_ncache_prepopulate(nctx->rctx->ncache, cdb, nctx->rctx);
    if (ret != EOK) {
        goto done;
    }

    ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
                            CONFDB_NSS_PWFIELD, DEFAULT_PWFIELD,
                            &nctx->pwfield);
    if (ret != EOK) goto done;

    ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
                            CONFDB_NSS_OVERRIDE_HOMEDIR, NULL,
                            &nctx->override_homedir);
    if (ret != EOK) goto done;

    ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
                            CONFDB_NSS_FALLBACK_HOMEDIR, NULL,
                            &nctx->fallback_homedir);
    if (ret != EOK) goto done;

    ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
                            CONFDB_NSS_HOMEDIR_SUBSTRING,
                            CONFDB_DEFAULT_HOMEDIR_SUBSTRING,
                            &nctx->homedir_substr);
    if (ret != EOK) goto done;


    ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
                            CONFDB_IFP_USER_ATTR_LIST, NULL, &tmp_str);
    if (ret != EOK) goto done;

    if (tmp_str == NULL) {
        ret = confdb_get_string(cdb, nctx, CONFDB_IFP_CONF_ENTRY,
                                CONFDB_IFP_USER_ATTR_LIST, NULL, &tmp_str);
        if (ret != EOK) goto done;
    }

    if (tmp_str != NULL) {
        nctx->extra_attributes = parse_attr_list_ex(nctx, tmp_str, NULL);
        if (nctx->extra_attributes == NULL) {
            ret = ENOMEM;
            goto done;
        }
    }

    ret = add_strings_lists_ex(nctx, nctx->extra_attributes, orig_attrs, false,
                               true, &nctx->full_attribute_list);
    if (ret != EOK) {
        ret = ENOMEM;
        goto done;
    }

    ret = 0;
done:
    return ret;
}

static int setup_memcaches(struct sss_nss_ctx *nctx)
{
    /* Default memcache sizes */
    static const size_t SSS_MC_CACHE_SLOTS_PER_MB   = 1024*1024/MC_SLOT_SIZE;
    static const size_t SSS_MC_CACHE_PASSWD_SIZE    =  8;
    static const size_t SSS_MC_CACHE_GROUP_SIZE     =  6;
    static const size_t SSS_MC_CACHE_INITGROUP_SIZE = 10;
    static const size_t SSS_MC_CACHE_SID_SIZE       =  6;

    int ret;
    int memcache_timeout;
    int mc_size_passwd;
    int mc_size_group;
    int mc_size_initgroups;
    int mc_size_sid;

    /* Remove the CLEAR_MC_FLAG file if exists. */
    ret = unlink(SSS_NSS_MCACHE_DIR"/"CLEAR_MC_FLAG);
    if (ret != 0 && errno != ENOENT) {
        ret = errno;
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Failed to unlink file [%s]. This can cause memory cache to "
               "be purged when next log rotation is requested. %d: %s\n",
               SSS_NSS_MCACHE_DIR"/"CLEAR_MC_FLAG, ret, strerror(ret));
    }

    ret = confdb_get_int(nctx->rctx->cdb,
                         CONFDB_NSS_CONF_ENTRY,
                         CONFDB_MEMCACHE_TIMEOUT,
                         300, &memcache_timeout);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Failed to get 'memcache_timeout' option from confdb.\n");
        return ret;
    }

    /* Get all memcache sizes from confdb (pwd, grp, initgr, sid) */

    ret = confdb_get_int(nctx->rctx->cdb,
                         CONFDB_NSS_CONF_ENTRY,
                         CONFDB_NSS_MEMCACHE_SIZE_PASSWD,
                         SSS_MC_CACHE_PASSWD_SIZE,
                         &mc_size_passwd);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Failed to get '"CONFDB_NSS_MEMCACHE_SIZE_PASSWD
              "' option from confdb.\n");
        return ret;
    }

    ret = confdb_get_int(nctx->rctx->cdb,
                         CONFDB_NSS_CONF_ENTRY,
                         CONFDB_NSS_MEMCACHE_SIZE_GROUP,
                         SSS_MC_CACHE_GROUP_SIZE,
                         &mc_size_group);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Failed to get '"CONFDB_NSS_MEMCACHE_SIZE_GROUP
              "' option from confdb.\n");
        return ret;
    }

    ret = confdb_get_int(nctx->rctx->cdb,
                         CONFDB_NSS_CONF_ENTRY,
                         CONFDB_NSS_MEMCACHE_SIZE_INITGROUPS,
                         SSS_MC_CACHE_INITGROUP_SIZE,
                         &mc_size_initgroups);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Failed to get '"CONFDB_NSS_MEMCACHE_SIZE_INITGROUPS
              "' option from confdb.\n");
        return ret;
    }

    ret = confdb_get_int(nctx->rctx->cdb,
                         CONFDB_NSS_CONF_ENTRY,
                         CONFDB_NSS_MEMCACHE_SIZE_SID,
                         SSS_MC_CACHE_SID_SIZE,
                         &mc_size_sid);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Failed to get '"CONFDB_NSS_MEMCACHE_SIZE_SID
              "' option from confdb.\n");
        return ret;
    }

    /* Initialize the fast in-memory caches if they were not disabled */

    ret = sss_mmap_cache_init(nctx, "passwd",
                              SSS_MC_PASSWD,
                              mc_size_passwd * SSS_MC_CACHE_SLOTS_PER_MB,
                              (time_t)memcache_timeout,
                              &nctx->pwd_mc_ctx);
    if (ret) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Failed to initialize passwd mmap cache: '%s'\n",
              sss_strerror(ret));
    }

    ret = sss_mmap_cache_init(nctx, "group",
                              SSS_MC_GROUP,
                              mc_size_group * SSS_MC_CACHE_SLOTS_PER_MB,
                              (time_t)memcache_timeout,
                              &nctx->grp_mc_ctx);
    if (ret) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Failed to initialize group mmap cache: '%s'\n",
              sss_strerror(ret));
    }

    ret = sss_mmap_cache_init(nctx, "initgroups",
                              SSS_MC_INITGROUPS,
                              mc_size_initgroups * SSS_MC_CACHE_SLOTS_PER_MB,
                              (time_t)memcache_timeout,
                              &nctx->initgr_mc_ctx);
    if (ret) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Failed to initialize initgroups mmap cache: '%s'\n",
              sss_strerror(ret));
    }

    ret = sss_mmap_cache_init(nctx, "sid",
                              SSS_MC_SID,
                              mc_size_sid * SSS_MC_CACHE_SLOTS_PER_MB,
                              (time_t)memcache_timeout,
                              &nctx->sid_mc_ctx);
    if (ret) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Failed to initialize sid mmap cache: '%s'\n",
              sss_strerror(ret));
    }

    return EOK;
}

static errno_t
sss_nss_register_service_iface(struct sss_nss_ctx *nss_ctx,
                           struct resp_ctx *rctx)
{
    errno_t ret;

    SBUS_INTERFACE(iface_svc,
        sssd_service,
        SBUS_METHODS(
            SBUS_SYNC(METHOD, sssd_service, rotateLogs, responder_logrotate, rctx),
            SBUS_SYNC(METHOD, sssd_service, clearEnumCache, sss_nss_clear_netgroup_hash_table, nss_ctx),
            SBUS_SYNC(METHOD, sssd_service, clearMemcache, sss_nss_clear_memcache, nss_ctx),
            SBUS_SYNC(METHOD, sssd_service, clearNegcache, sss_nss_clear_negcache, nss_ctx)
        ),
        SBUS_SIGNALS(SBUS_NO_SIGNALS),
        SBUS_PROPERTIES(
            SBUS_SYNC(GETTER, sssd_service, debug_level, generic_get_debug_level, NULL),
            SBUS_SYNC(SETTER, sssd_service, debug_level, generic_set_debug_level, NULL)
        )
    );

    ret = sbus_connection_add_path(rctx->sbus_conn, SSS_BUS_PATH, &iface_svc);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to register service interface"
              "[%d]: %s\n", ret, sss_strerror(ret));
    }

    return ret;
}

int sss_nss_process_init(TALLOC_CTX *mem_ctx,
                         struct tevent_context *ev,
                         struct confdb_ctx *cdb)
{
    struct resp_ctx *rctx;
    struct sss_cmd_table *nss_cmds;
    struct sss_nss_ctx *nctx;
    int ret;
    enum idmap_error_code err;
    int fd_limit;

    nss_cmds = get_sss_nss_cmds();

    ret = sss_process_init(mem_ctx, ev, cdb,
                           nss_cmds,
                           SSS_NSS_SOCKET_NAME, SCKT_RSP_UMASK,
                           CONFDB_NSS_CONF_ENTRY,
                           SSS_BUS_NSS, NSS_SBUS_SERVICE_NAME,
                           sss_nss_connection_setup,
                           &rctx);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE, "sss_process_init() failed\n");
        return ret;
    }

    nctx = talloc_zero(rctx, struct sss_nss_ctx);
    if (!nctx) {
        DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing nss_ctx\n");
        ret = ENOMEM;
        goto fail;
    }

    nctx->rctx = rctx;
    nctx->rctx->pvt_ctx = nctx;

    ret = sss_nss_get_config(nctx, cdb);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE, "fatal error getting nss config\n");
        goto fail;
    }

    err = sss_idmap_init(sss_idmap_talloc, nctx, sss_idmap_talloc_free,
                         &nctx->idmap_ctx);
    if (err != IDMAP_SUCCESS) {
        DEBUG(SSSDBG_FATAL_FAILURE, "sss_idmap_init failed.\n");
        ret = EFAULT;
        goto fail;
    }

    nctx->pwent = talloc_zero(nctx, struct sss_nss_enum_ctx);
    if (nctx->pwent == NULL) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize pwent context!\n");
        ret = ENOMEM;
        goto fail;
    }

    nctx->grent = talloc_zero(nctx, struct sss_nss_enum_ctx);
    if (nctx->grent == NULL) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize grent context!\n");
        ret = ENOMEM;
        goto fail;
    }

    nctx->svcent = talloc_zero(nctx, struct sss_nss_enum_ctx);
    if (nctx->svcent == NULL) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize svcent context!\n");
        ret = ENOMEM;
        goto fail;
    }

    nctx->netgrent = sss_ptr_hash_create(nctx, NULL, NULL);
    if (nctx->netgrent == NULL) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize netgroups table!\n");
        ret = EFAULT;
        goto fail;
    }

    nctx->hostent = talloc_zero(nctx, struct sss_nss_enum_ctx);
    if (nctx->hostent == NULL) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize hostent context!\n");
        ret = ENOMEM;
        goto fail;
    }

    nctx->netent = talloc_zero(nctx, struct sss_nss_enum_ctx);
    if (nctx->netent == NULL) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize netent context!\n");
        ret = ENOMEM;
        goto fail;
    }

    ret = setup_memcaches(nctx);
    if (ret != EOK) {
        goto fail;
    }

    /* Set up file descriptor limits */
    ret = confdb_get_int(nctx->rctx->cdb,
                         CONFDB_NSS_CONF_ENTRY,
                         CONFDB_SERVICE_FD_LIMIT,
                         DEFAULT_NSS_FD_LIMIT,
                         &fd_limit);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Failed to set up file descriptor limit\n");
        goto fail;
    }
    responder_set_fd_limit(fd_limit);

    ret = schedule_get_domains_task(rctx, rctx->ev, rctx, nctx->rctx->ncache,
                                    NULL, NULL);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
        goto fail;
    }

    /* The responder is initialized. Now tell it to the monitor. */
    ret = sss_monitor_register_service(rctx, rctx->sbus_conn,
                                       NSS_SBUS_SERVICE_NAME,
                                       NSS_SBUS_SERVICE_VERSION,
                                       MT_SVC_SERVICE);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to register to the monitor "
              "[%d]: %s\n", ret, sss_strerror(ret));
        goto fail;
    }

    ret = sss_nss_register_backend_iface(nctx->rctx->sbus_conn, nctx);
    if (ret != EOK) {
        goto fail;
    }

    ret = sss_nss_register_service_iface(nctx, rctx);
    if (ret != EOK) {
        goto fail;
    }

    DEBUG(SSSDBG_TRACE_FUNC, "NSS Initialization complete\n");

    return EOK;

fail:
    talloc_free(rctx);
    return ret;
}

int main(int argc, const char *argv[])
{
    int opt;
    poptContext pc;
    char *opt_logger = NULL;
    struct main_context *main_ctx;
    int ret;

    struct poptOption long_options[] = {
        POPT_AUTOHELP
        SSSD_MAIN_OPTS
        SSSD_LOGGER_OPTS
        SSSD_RESPONDER_OPTS
        POPT_TABLEEND
    };

    /* Set debug level to invalid value so we can decide if -d 0 was used. */
    debug_level = SSSDBG_INVALID;

    umask(DFL_RSP_UMASK);

    pc = poptGetContext(argv[0], argc, argv, long_options, 0);
    while((opt = poptGetNextOpt(pc)) != -1) {
        switch(opt) {
        default:
            fprintf(stderr, "\nInvalid option %s: %s\n\n",
                  poptBadOption(pc, 0), poptStrerror(opt));
            poptPrintUsage(pc, stderr, 0);
            return 1;
        }
    }

    poptFreeContext(pc);

    /* set up things like debug, signals, daemonization, etc. */
    debug_log_file = "sssd_nss";
    DEBUG_INIT(debug_level, opt_logger);

    ret = server_setup("nss", true, 0, CONFDB_FILE,
                       CONFDB_NSS_CONF_ENTRY, &main_ctx, false);
    if (ret != EOK) return 2;

    ret = die_if_parent_died();
    if (ret != EOK) {
        /* This is not fatal, don't return */
        DEBUG(SSSDBG_OP_FAILURE,
              "Could not set up to exit when parent process does\n");
    }

    ret = sss_nss_process_init(main_ctx,
                               main_ctx->event_ctx,
                               main_ctx->confdb_ctx);
    if (ret != EOK) return 3;

    /* loop on main */
    server_loop(main_ctx);

    return 0;
}

